CVE-2025-64677

Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.

high 8.2 CVSS 3.1
Published: Dec 18, 2025
Modified: Jan 16, 2026
Vendor: Microsoft
Product: Office Out-Of-Box Experience

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.

References

Related CVEs

CVE-2025-64675 high · 8.3
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-65041 critical · 10.0
Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-65037 critical · 10.0
Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
CVE-2025-65046 low · 3.1
Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2025-64663 critical · 9.9
Custom Question Answering Elevation of Privilege Vulnerability
CVE-2025-64676 high · 7.2
'.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network.